
There is a simple way to recover a password from a SAP BO BI relational connection with a few lines of code. It is useful when you have forgotten the password, or when you need to verify that the security rules in your security baseline work as expected and that nobody can discover the database connection passwords used by SAP BO BI reports with a simple logon and a simple application. You can also test with your non-administrator username to see whether you can read the password.

The code is based on the SAP BO SDK (Java or .NET). In the test performed, it was given the following parameters: CMS system, username, password, authentication type and CUID of the connection.


1. Main Source Code

I adapted and changed the original code used in my connector “SBOPRepositoryExplorer”, which explores the CMS repository in real time through a simple universe (How to explore SAP BusinessObjects BI CMS Repository), and I ran a test to check the vulnerability. Due to SAP copyright policies I am not allowed to publish the content.

2. Create a simple user in CMC belonging to the group Everyone

In CMC, create a simple user that belongs to no group other than Everyone:


3. Create a simple connection to some database


For example, in IDT create a simple relational connection for testing.


In our example the username is “userOracleTst” and the password is “simplePassword123.” (the trailing period is part of the password).


4. Test from command line

"C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise XI 4.0\win32_x86\sapjvm\bin\java.exe" -jar "D:\app\Tools\ConnectionProperties.jar" BO4Server tstuser simplePassword123. secEnterprise Ace8qbWCgDlFvUmUYlHxuHs

Here ConnectionProperties.jar is the compiled application that reads the content of the connection. The arguments are:


BO4Server is the CMS server.

tstuser is the username.

simplePassword123. is the password.

secEnterprise is the authentication method used.

Ace8qbWCgDlFvUmUYlHxuHs is the CUID of the connection created.


5. Workaround

It is somewhat dangerous that anyone with a simple username in BO can discover our DB connection password. The right involved was introduced in BI 4.0 SP3 to secure the connection parameters (typically username, password and server name) that are downloaded for Web Intelligence offline. Web Intelligence offline needs to keep a copy of the connection (username, password, server name, ...) in order to access the DB without being connected to the CMS. To address the danger of this approach, it is possible to deny the right in the CMC via the option “Download connection locally”.

If the right “Download connection locally” is granted, you can use WebI offline, but the connection parameters can be downloaded by any user holding the right.

If the right “Download connection locally” is denied, all sensitive connection parameters remain on the CMS, so WebI can no longer be used offline. Because the connection parameters stay on the CMS, all DB access is performed server side.

For more information, see p. 845 of the Business Intelligence Platform Administrator Guide.

6. Check your connection’s security

If you need to check whether your SAP BO BI platform is correctly configured with respect to SAP BO BI connections, you can use the free option of the SBOPRepositoryExplorer tool.

Jorge Sousa


3 Comments


  1. Andy Silvey

    Hi Jorge,

    The blog is presenting a major security vulnerability; this reminds me of the Invoker Servlet security vulnerability in the Portal.

    To confirm, you are saying:

    1) If a SAP Customer wants offline access to WebI

         then

              they must grant the right DownloadConnectionLocally

         in_which_case

              the security vulnerability of downloading connection parameters is opened up

    2) If the right “Download connection locally” is denied,

         then

              all sensitive connection parameters remain on the CMS

                   and

              WebI cannot be used offline anymore.

         this_is_because

              the connection parameters remain on the CMS, then all DB access is performed server side

    Is there an alternative to setting up offline WebI access without granting rights to DownloadConnectionLocally ?

    Thanks and best regards,

    Andy.

    1. Jorge Sousa Post author

      Hi Andy,

      IMHO there is no other way with the options that we currently have available in BO. The other way would be a patch providing the same behavior as BEx connections (connection credentials are encrypted), and then it would not be necessary.

      We can only use WRC in offline mode, but without the option to refresh data, when “DownloadConnectionLocally” is denied.

      Thanks again and best regards,

      Jorge Sousa

